Currently, there exist a number of malware delivery techniques. A commonly used malware delivery technique involves the transmission of a malicious electronic mail (email) message to a computer or device controlled by a targeted user. Based on user activity, the malicious email message causes the computer to become infected. More specifically, the malicious email message may be structured to lure the targeted user to select a Uniform Resource Locator (URL) within the malicious email message which, upon selection, establishes communications with a web server that, unbeknownst to the user, is malicious. Thereafter, malware is uploaded and sensitive information may be subsequently downloaded from the infected computer.
For the last few years, anti-virus and email filtering industries have developed tools and techniques to identify and isolate potentially infected email messages. However, these traditional tools and techniques are not effective in detecting certain types of advanced, malicious email messages. To address this detection gap, one type of security appliance has been solely developed (and is currently available) to analyze an email message and determine whether the email message is likely infected with malware. In particular, this email analytic appliance analyzes incoming email messages, namely its header, content, links and attachments, in order to identify the presence of malware. Upon discovery of a malicious email message, the email analytic appliance alerts security personnel to quarantine the malicious email message and cleanse the infected computer.
Many customers deploy dedicated email analysis appliances as well as network monitoring appliances. However, some customers do not operate dedicated email analytic appliances. Instead, most of these customers simply deploy one or more security appliances that are configured to monitor network communications with one or more network devices to identify indicators of compromise (IOCs), namely malicious behaviors that suggest the presence of malware on a particular network device or particular network devices. While these types of security appliances are able to identify the presence of malware on a particular computer, they are not configured to analyze email messages for the presence of malware within these messages. As a result, without an email analytic appliance, a customer has no ability to reliably prevent delivery of malicious to targeted victim of attack. Protection against malicious email messages becomes more complex as the messages may lay dormant in the user's inbox for days or even weeks. This lack of detection has prolonged adverse effects on network security as subsequent malicious attacks may persist months later as long as the malicious email message is stored at an email server of the enterprise network and/or stored locally at a computer having access to the network.